BTF: Toward the better eBPF Debugging

Presented by:

Gary Lin is a SUSE engineer and long-time Linux user. He participated in openSUSE GNOME development and now mainly focuses on UEFI-related issues.


eBPF was introduced into the Linux kernel starting from 3.15 and provides flexibility for kernel programming. Kernel developers and administrators can attach eBPF programs to certain components in the kernel to help with data processing. For example, the root user can craft an eBPF program, attach it to a kprobe to extract information from the kernel, and profile the system in real time.

In the beginning, the user had to write the eBPF program in assembly. Thanks to the LLVM developers, LLVM/Clang can now generate eBPF bytecode, so the user can simply write eBPF programs in C. However, this raises another problem: how to debug the C code.

The kernel can only recognize eBPF bytecode. So, when the eBPF verifier rejects a program, it only shows the assembly code in question. If the user doesn't code in assembly, it may be difficult to identify why the program is rejected.

BPF Type Format (BTF) is proposed to solve the problem. BTF defines the format of the debug information, which is stored in an extra section created in the eBPF object file. The kernel can therefore match the C code to the bytecode and provide more useful information. This fills the gap between the user and the kernel, so that the user can debug their code easily.
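
To make the "extra section" concrete, here is an added example (not from the talk or the kernel sources) that walks the raw bytes of a `.BTF` section using the header and type-record layout from the kernel's `include/uapi/linux/btf.h`. It assumes a little-endian object and handles only kinds 1 to 13; the sample bytes and the name `parse_btf` are constructed for illustration.

```python
import struct

BTF_MAGIC = 0xEB9F
# struct btf_header: magic, version, flags, hdr_len, type_off, type_len, str_off, str_len
HEADER = struct.Struct("<HBBIIIII")  # assumption: little-endian object
# kind -> (name, fixed trailing bytes, trailing bytes per vlen entry); kinds 1-13 only
KINDS = {1: ("INT", 4, 0), 2: ("PTR", 0, 0), 3: ("ARRAY", 12, 0),
         4: ("STRUCT", 0, 12), 5: ("UNION", 0, 12), 6: ("ENUM", 0, 8),
         7: ("FWD", 0, 0), 8: ("TYPEDEF", 0, 0), 9: ("VOLATILE", 0, 0),
         10: ("CONST", 0, 0), 11: ("RESTRICT", 0, 0), 12: ("FUNC", 0, 0),
         13: ("FUNC_PROTO", 0, 8)}

def parse_btf(blob):
    """Return [(type_id, kind, name, size_or_type)] for a raw .BTF section."""
    if len(blob) < HEADER.size:
        raise ValueError("truncated BTF header")
    magic, _ver, _flags, hdr_len, type_off, type_len, str_off, str_len = HEADER.unpack_from(blob)
    if magic != BTF_MAGIC:
        raise ValueError("bad BTF magic")
    # Section offsets are relative to the end of the header.
    types = blob[hdr_len + type_off:hdr_len + type_off + type_len]
    strs = blob[hdr_len + str_off:hdr_len + str_off + str_len]
    if len(types) != type_len or len(strs) != str_len:
        raise ValueError("type or string section runs past the blob")
    out, pos, type_id = [], 0, 1  # type id 0 is reserved for void
    while pos < len(types):
        if pos + 12 > len(types):
            raise ValueError("truncated btf_type record")
        name_off, info, size_or_type = struct.unpack_from("<III", types, pos)
        kind, vlen = (info >> 24) & 0x1F, info & 0xFFFF
        if kind not in KINDS:
            raise ValueError(f"unhandled BTF kind {kind}")
        kname, fixed, per_entry = KINDS[kind]
        pos += 12 + fixed + per_entry * vlen
        if pos > len(types):
            raise ValueError("type record runs past the type section")
        # Names are NUL-terminated strings; index() raises ValueError if unterminated.
        name = strs[name_off:strs.index(b"\0", name_off)].decode()
        out.append((type_id, kname, name, size_or_type))
        type_id += 1
    return out

# Constructed sample: int, typedef int pid_t, and a pointer to pid_t.
STRINGS = b"\0int\0pid_t\0"
TYPES = (struct.pack("<IIII", 1, 1 << 24, 4, (1 << 24) | 32)  # signed 32-bit INT "int"
         + struct.pack("<III", 5, 8 << 24, 1)                  # TYPEDEF "pid_t" -> type 1
         + struct.pack("<III", 0, 2 << 24, 2))                 # anonymous PTR -> type 2
SAMPLE = HEADER.pack(BTF_MAGIC, 1, 0, HEADER.size, 0, len(TYPES), len(TYPES), len(STRINGS)) + TYPES + STRINGS
```

Every offset and length in the header is checked against the blob before use, since the section is input that a loader should not trust.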